Advertisement
Promo

Security threats Toolkit in association with http://ad.doubleclick.net/clk;214682528;14505427;f?http://uk.blackberry.com/ataglance/security/

The man who transformed internet security

Robert Vamosi CNET News.com

Published: 16 Jul 2008 15:19 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment
The man who transformed internet security

Security researcher Dan Kaminsky still won't comment on the specific nature of a flaw within the Domain Name System, for fear criminal hackers might exploit it before the worldwide network of name servers worldwide and client systems that contact them can be updated. However, he did go public with some details on 8 July, 2008, backed by simultaneous patch releases from Microsoft, Cisco and others.

There have been other multiparty patch releases, but never has there been one on such a massive scale. It took someone with the gravitas and reputation of Kaminsky to pull together the affected parties.

What he and others he took into his confidence did over the past few months was not only responsible but extraordinary. The flaw Kaminsky discovered could allow criminal hackers to guess the transaction ID of any request to a DNS server for a particular domain, such as one used for a bank or an e-commerce site, and then re-direct that request to another site, a phishing site. It would do so silently, evading most anti-phishing technology because the change would be made, not at the desktop level, but at the DNS server itself.

Certainly this is big, and certainly one would want to get the news out as soon as possible — but Kaminsky took the time to inform the proper vendors and authorities and, only after they were ready with patches, did he disclose some of what he had discovered.

While Kaminsky was willing to work with the vendors, he wasn't willing to give them forever

That isn't to say what Kaminsky did was perfect; he himself admits there are lessons to be learned and acted upon the next time this happens. Whether you agree with the severity of the flaw Kaminsky disclosed last Tuesday, I think all future vulnerability disclosures could benefit from his example.

Kaminsky, director of penetration testing at IOActive, is no stranger to vulnerabilities. Over the years he's found a fair share and says that, in the case of the DNS flaw, he wasn't looking for it. He told me that after three days of testing he knew he had something important. At that point, early in 2008, he had a few options.

One was to tell the vendor (or, in this case, vendors) directly. Ari Takanen of Codenomicon told me he prefers that security researchers keep vulnerabilities between them and the vendor. Vendors, Takanen said, have their own development cycles, and for a researcher to burst into a room or go public and demand that everyone work on his or her vulnerability is unrealistic. While Kaminsky was willing to work with the vendors, he wasn't willing to give them forever.

Another option was to sell the vulnerability to a third party such as TippingPoint's Zero Day Initiative. ZDI acts as the middleman, talking with the vendor and communicating with the researcher. The advantage here is that a researcher with no connections to the affected vendor can communicate the problem clearly.

ZDI has been credited with several vulnerabilities, such as those announced by Apple and Microsoft. Kaminsky has no qualms with those...

Next

Previous

1 2


  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Did you find this article useful?
51 out of 60 people found this useful


Full Talkback thread

1 comment

  1. Very well done. CraigBowen

Company/Topic Alerts

Create a new alert from the list below:




Video icon

Video

Sentry Posts Blog

Nasa hacker petition presented to Numb...

Sting's wife Trudie Styler and Janis Sharp have presented a petition to Number 10 calling for Nasa hacker Gary McKinnon not to be extradited to the US. Styler, and Sharp, who is... More

Post a comment

UK to appoint cyber-sec tsar?

The UK is to appoint a cyber security tsar along the lines of the US, according to a story in the Telegraph this morning. The story is similar to one that appeared in the Guardian... More

Post a comment

Nokia Siemens denies Iran web snoop

Nokia Siemens has denied providing deep packet inspection capabilities to the Iranian authorities, following an article in the Wall Street Journal on Monday. The WSJ published the... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

Newsletters